International and Large Business, and High Net Worth Compliance Tax Audit Programs v2.0

International and Large Business Directorate
High Net Worth Compliance Directorate
Compliance Programs Branch

On this page

• Overview & Privacy Impact Assessment Initiation (PIA)
• Summary of the project, initiative or change
• Risk identification and categorization

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Priceela Pursun
Director General
International and Large Business Directorate
Compliance Programs Branch

Adrianna McGillivray
Director General
High Net Worth Compliance Directorate
Compliance Programs Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Lia Jackson
Director
Access to Information and Privacy Directorate

Name of program or activity of the government institution

Reporting compliance

The Compliance Programs Branch of the Canada Revenue Agency (CRA) protects the integrity of Canada’s self-assessment tax system through education and proactive efforts to help those who want to comply. We also work to ensure that Canada receives its share of taxes from international and large entities with complex financial transactions and taxpayers with offshore accounts.

The International and Large Business, and High Net Worth Compliance Directorates are responsible for identifying non-compliance, both domestically and internationally, through extensive business intelligence and risk assessment activities, including predictive analytics, legislative reviews, and work with informants. Depending on the level of risk identified, the appropriate approach is taken to address and deter non-compliance through a graduated approach including targeted communications, examinations, audits, and where warranted, penalties.  

Standard or institution specific class of record:

International and Large Business and Offshore and Aggressive Tax Planning Income Tax Audits and Examination
Record number: CRA CPB 415

Standard or institution specific personal information bank:

International and Large Business and High Net Worth Compliance Income Tax Audit Programs
Bank number: CRA PPU 035
TBS Registration Number: 002016

Legal authority for program or activity

• The Income Tax Act, Excise Tax Act, and Canada Revenue Agency Act give the CRA authority related to collecting personal information and applying third-party penalties:
• Section 220(1) of the  Income Tax Act: “ the Minister shall administer and enforce this Act and the Commissioner of Revenue may exercise all the powers and perform the duties of the Minister under this Act”
• Subsections 85(1), 85(2), and 97(2) of the Income Tax Act: disposition   or transfer of property by a taxpayer or partnership to a taxable Canadian corporation or Canadian corporation 
• Section 163.2 of the Income Tax Act and section 285.1 of the Excise Tax Act: authority to enforce penalties, including planner and preparer penalties, related to misrepresentation of a tax matter by a third party (promoters who market and sell abusive tax shelter arrangements)
• Section 231.1 of the Income Tax Act: authority to perform audits, examine documents, including books and records, and inspect property of the taxpayer or any person that may be relevant when determining the obligations or entitlements of the taxpayer or any other persons
• Section 231.2 of the Income Tax Act: authority to issue a requirement to provide documents or information
• Section 231.4 of the Income Tax Act: authority to conduct an inquiry to get information
• Section 231.5 of the Income Tax Act: authority to make or cause to be made one or more copies of any physical documents and to make or cause to be made a print-out of any electronic documents
• Section 231.6 of the Income Tax Act: authority to issue a requirement to provide information or documents originating in other countries
• Section 231.7 of the Income Tax Act: authority of a court to compel a person to provide information or documents sought under sections 231.1 and 231.2 of the Income Tax Act
• Sections 233.1 to 233.6 of the Income Tax Act: foreign reporting provisions
• Section 233.8 of the Income Tax Act: Country-by-Country Reporting Provisions
• Section 237.1 of the Income Tax Act: tax shelter provisions
• Section 237 of the Income Tax Act: social insurance numbers are required in information returns
• Section 237.3 of the Income Tax Act: reportable transactions provisions
• Section 237.4 of the Income Tax Act: notifiable transactions provisions
• Section 237.5 of the Income Tax Act: reportable uncertain tax treatments
• Section 244.2 of the Income Tax Act: electronic funds transfers provisions
• Section 263 to 268 of the Income Tax Act: enhanced international information reporting of U.S. reportable accounts
• Sections 270 to 281 of the Income Tax Act: common reporting standard provisions, and the authority for the collection and reporting of the taxpayer identifying number in Part XIX information returns
• Subparagraph 241(4)(e)(xii) of the ITA allows for the exchange of taxpayer information between two countries in accordance with a provision contained in a tax treaty with another country or in a listed international agreement, which includes tax information exchange agreements (TIEA), or the convention on Mutual Administrative Assistance in Tax Matters (MAAC).
• Section 61 of the Canada Revenue Agency Act: authority to enter into contracts, agreements, or other arrangements with governments, public or private organizations and agencies, or any person in the name of His Majesty in right of Canada or in the CRA’s own name

Summary of the project, initiative or change

Overview of the Program or Activity

The International and Large Business, and High Net Worth Compliance Tax Audit programs, are responsible for the delivery of activities relating to domestic tax, international tax, offshore non-compliance, aggressive tax planning and tax avoidance.

The overall mandate of the programs is to improve tax compliance regarding:

• international transactions and large businesses
• domestic and offshore non-compliance
• wealthy individuals and their related economic entities
• aggressive tax planning

This privacy impact assessment (PIA) document covers the following types of income tax audits:

Large business audits ensure income tax compliance of the largest and most complex business entities. This includes allocating provincial income, coordinating national risk assessment and workload planning, and providing analytical services and technical guidance on domestic tax issues.

International tax audits ensure reported world income and proper payment of taxes by non‑residents working or carrying on business in Canada, international cross-border transactions between related parties, transfer pricing, foreign accrual property income, foreign affiliate rules, and other international tax issues.

Tax avoidance audits identify and address emerging tax avoidance issues and arrangements, the review of tax shelters and promoters, and the application of the general anti-avoidance rule (GAAR). They administer the federal as well as the provincial GAAR for agreeing provinces and the Mandatory Disclosure Rules program.

Offshore compliance audits identify and address international transactions of unreported foreign income and undisclosed assets.

Aggressive tax planning audits identify and address emerging tax avoidance issues and arrangements and applying the general anti-avoidance rule.

Global high wealth audits identify and respond to high risk compliance issues involving wealthy individuals and their related economic entities.

Tax promoter and advisor audits address promoters and advisors who use offensive tax schemes and include third-party penalty audits.

The International and Large Business, and High Net Worth Compliance Tax Audit Programs take a balanced approach to compliance, which include:

• education, examinations, and audits, as well as referrals to investigations aimed at ensuring compliance with tax laws
• verification and enforcement activities at the international level, including administering international tax agreements
• giving information to taxpayers to encourage compliance
• compliance research to better identify non‑compliance and improve strategies to deal with it

The International and Large Business, and High Net Worth Compliance Tax Audit Programs promote, and verify compliance of the most complex business entities,  wealthy individuals, and their related entities. This is done through:

• strategically planned audits
• escalating enforcement measures
• the use of business intelligence for risk assessment
• legislative review

The International and Large Business, and High Net Worth Compliance Tax Audit Programs is constantly developing and refining initiatives that focus on large businesses and the wealthy population (such as, large business, international tax, offshore, aggressive tax planning, global high wealth, and tax promoter and advisor audits). Therefore, the International and Large Business, and High Net Worth Compliance Tax Audit Programs will review and update this PIA when necessary and refer to it during consultations with the Office of the Privacy Commissioner and when doing any necessary PIB updates.

What’s New

The CRA made changes to reflect current operating practices and to improve the International and Large Business, and High Net Worth Compliance Tax Audit Programs ability to get, secure, and view data. The following are key changes and initiatives that have an impact on the programs’ privacy practices.

The International and Large Business, and High Net Worth Compliance Tax Audit Programs modernized its audit tools. This will help us to better manage and expand the use of internal and third party data. And it will support risk assessment processes and help establish relationship identification processes.

The Canada emergency wage subsidy (CEWS) was a temporary subsidy program developed to support Canadian businesses. It enabled them to re-hire workers, help prevent further job losses, and ease back into normal operations. Bill C-14 was introduced on April 11, 2020. Eligible entities could apply to claim the subsidy starting on April 27, 2020, the program continued until October 23, 2021, and the deadline to apply for the CEWS final claim period was April 21, 2022. Because the claim periods are now over, the CRA is focused only on post-payment compliance, which follows existing compliance processes and activities.

Acquiring data includes purchased datasets, publicly available data leaks, public registry data and EFT information, and information exchanged with other countries in accordance with Canada network of tax treaties and information sharing agreements (see Tax treaties - Canada.ca for more information). This change contributes to the CRA’s efforts to combat international tax avoidance and to identify high-risk taxpayers attempting to avoid their tax obligations. The ability to match incoming financial data to existing CRA data supports risk assessment, screening, and audit processes. This data matching is a crucial source of intelligence used to pursue and enforce tax compliance domestically and internationally.

On April 6, 2021, the CPB introduced a two-way communications email service. This service allows those under audit (taxpayers, business owners, or authorized representatives) to share unprotected and protected information through unencrypted email. The information they share may include attached documents (up to and including Protected B documents). However, the auditor is allowed to send only emails with unprotected information.

The CRA works with a solution that lets you securely share confidential messages, documents, and files outside of a corporate firewall with one or many customers, colleagues, partners, and suppliers. It’s ideal for government departments and agencies that require secure electronic delivery of Protected A- and Protected B-level documents. The solution should be used only if the CRA’s online services are not an option.

The CRA has an agreement with a service provider to use their platform to securely, efficiently, and cost effectively send, receive, and track large volumes of electronic data and confidential files between the CRA and external organizations and individuals. This is an interim solution that will be available until there is a permanent solution in place that meets the requirements.

Another secure way to exchange information digitally with the CRA is the Secure Drop Zone. This is a secure two-way service which allows the CRA, taxpayers, third parties, and other partners to digitally exchange information on an ad-hoc basis outside the CRA’s other online services.

As of January 23, 2023, the incoming paper documents are digitized and uploaded into the Document Management Portal. The digitized forms are:

• Form T106, Information Return of Non-Arm’s Length Transactions with Non-Residents
• Form T1134, Information Return Relating To Controlled and Non-Controlled Foreign Affiliates (2011 and later taxation year)
• Form T1135, Foreign Income Verification Statement
• Form  T1141, Information Return in Respect of Contributions to Non-Resident Trusts, Arrangements or Entities
• Form  T1142, Information Return in Respect of Distributions form and Indebtedness to a Non-Resident Trust

Some of the supporting documents include financial statements, organization charts, trust documents, and correspondence. Authorized users will be able to view the digitized forms instead of requesting the paper copy.

Mandatory disclosure rules

Canada’s enhanced mandatory disclosure rules are a set of reporting requirements which received royal assent on June 22, 2023. The changes to the rules align with international best practices and  the reporting requirements helps CRA identify and to respond to tax risks.

Who may be impacted: individuals, corporations, trusts, partnerships, advisors, promoters, or certain non-arm’s length parties.

The changes to the rules (Income Tax Act sections 237.3 to 237.5) are:

• changes to existing reportable transaction rules
• a new rule to report notifiable transactions
• a new rule to report reportable uncertain tax treatments
• related penalties according to new rule

Mandatory Disclosure Rules are reported on:

• Form RC312, Reportable Transaction and Notifiable Transaction Information Return (2023 and later tax years)
• Form RC3133, Reportable Uncertain Tax Treatments Information Return (2023 and later tax years)

Not complying with these mandatory disclosure rules will result in penalties and extended reassessment periods.

For transactions occurring on or after January 1, 2024, taxpayers may also file a disclosure under the reportable transaction rules, even if they don’t apply, to avoid penalties and extended reassessment periods when the General Anti-Avoidance Rule is applied.

Country-by-Country Reporting

Country-by-Country Reporting requirements came into effect for fiscal years beginning on or after January 1, 2016.

The CRA implemented Country-by-Country Reporting as part of Canada’s commitment to the Organisation for Economic Co‑operation and Development/G20 Base Erosion and Profit Shifting Action Plan, specifically Action 13.

In Canada, Country-by-Country Reporting is legislated under section 233.8 of the Income Tax Act, which requires certain large multinational enterprise (MNE) groups to file an annual Country-by-Country report with the CRA. The Country-by-Country Reporting requirements apply to large multinational enterprises with total annual consolidated group revenue above a specified threshold. These multinational enterprises must file a Country-by-Country report with the CRA, which includes detailed financial and tax information for each country in which they operate.

To administer and enforce the Country-by-Country Reporting requirements, the CRA may need to collect the personal information of individuals authorized to act on behalf of the multinational enterprises. The CRA collects these individuals’ information in their capacity as a representative (such as a tax advisor) or as an employee of the business (such as a chief executive officer, chief financial officer, or tax director).

The CRA will use the personal information to communicate with these individuals in their representative roles. The CRA may also use this information to contact multinational enterprises regarding compliance activities related to the Country-by-Country Reporting requirements.

Scope of the Privacy Impact Assessment

This privacy impact assessment is intended to address the collection, use, storage, and disposal of personal information for International and Large Business, and High Net Worth Compliance Tax Audit Programs activities.

Activities that are part of the Competent Authority Services, the Exchange of Information Sections, the Criminal Investigations Program, or the Offshore Tax Informant Program are excluded from this PIA.

This PIA should be read along with the following privacy assessments related to business intelligence, competent authority activities, and other compliance activities:

• Enhanced Financial Account Information Reporting - Part XVIII v 3.0
• Business Intelligence & Compliance Risk Assessment v 2.0
• Common Reporting Standard Income Tax Act Part XIX v 2.0
• Business intelligence research and development environment v 2.0
• Offshore Tax Informant Program v 3.0
• COVID-19 Subsidy Initiatives for Business Entities

Risk identification and categorization

A) Type of program or activity

Compliance and regulatory investigations and enforcement  

Level of risk to privacy: 3

Details:

The International and Large Business, and High Net Worth Compliance Tax Audit Programs use the CRA’s audit and inspection powers under the Income Tax Act to collect information related to domestic tax, international tax, offshore non-compliance, aggressive tax planning, and tax avoidance and determine if taxpayers are complying with the Act. The vast majority of cases involve only administrative consequences, such as audits resulting in additional taxes owing or civil penalties. The International and Large Business, and High Net Worth Compliance Tax Audit Programs do not undertake criminal prosecutions. In some cases, the personal information collected during an audit may be transferred to criminal investigations for criminal prosecution. (For more information, refer to the Criminal Investigations Program v2.0 - Canada.ca.)

B) Type of personal information involved and context

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, and the context surrounding the personal information, is particularly sensitive.  

Level of risk to privacy: 4

Details:

Personal information may include the social insurance number, financial information, or other sensitive information. In some cases, indirect income verification may be necessary, which would include getting personal banking or lifestyle information of taxpayers and other members of their household to identify possible offshore asset holdings.

C) Program or activity partners and private sector involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy: 4

Details:

In line with the Income Tax Act, the CRA may collect information from and share information with participating provincial or territorial partners and other federal institutions. The CRA may share information with foreign governments, in line with existing tax treaties, tax information exchange agreements, or the Multilateral Convention on Mutual Administrative Assistance in Tax Matters. Subparagraph 241(4)(e)(xii) of the Income Tax Act allows the CRA to exchange taxpayer information with the tax administration of another country. The exchange must be in line with a tax treaty between Canada and the other country or a listed international agreement, which includes tax information exchange agreements and the Mutual Administrative Assistance in Tax Matters.

Information is typically exchanged to either determine the facts related to the rules of an income tax convention or to help one of the countries administer and enforce its domestic tax law. 

In some cases, the CRA may use an external third-party service to help identify more risk factors for individual and business income tax accounts. For example, third-party information from data leaks, publicly available sources, suppliers, financial institutions, formal requirements for information, and paid external sources, such as real estate and credit bureaus, may include details on a taxpayer’s personal and business activities. Also, paper copies of personal information may be stored and retained at a private-sector records storage facility.

Joint International Taskforce on Shared Intelligence and Collaboration Network

The Joint International Taskforce on Shared Intelligence and Collaboration Network provides a platform that enables its members to actively collaborate within the legal framework of effective bilateral and multilateral conventions and tax information exchange agreements. The framework allows for operational collaboration, sharing information and intelligence, and taking coordinated cross-border compliance actions, which may involve specific issues, industries or taxpayers.

Enhanced financial account information reporting

The Foreign Account Tax Compliance Act requires financial institutions outside the United States to report to the Internal Revenue Service accounts held by U.S. taxpayers.

The Canadian government has an agreement related to the Act to optimize the exchange of tax information with the U.S. government under the existing Canada–U.S. Tax Convention. The intergovernmental Agreement for the Enhanced Exchange of Tax Information under the Canada–U.S. Tax Convention includes the following points:

• to be consistent with Canada’s privacy laws, Canadian financial institutions transmit annually the relevant information to the CRA, and then the CRA exchanges the information with the IRS through the existing provisions of the Canada–U.S. Tax Convention
• the Internal Revenue Service gives the CRA enhanced and increased information on certain accounts of Canadian residents held at U.S. financial institutions
• Part XVIII was added to the Income Tax Act, implementing the intergovernmental agreement and reporting obligations in Canada

The Foreign Account Tax Compliance Act is covered under the Enhanced Financial Account Information Reporting PIA.

Common reporting standard

Part XIX of the Income Tax Act implements the common reporting standard due diligence and reporting obligations in Canada.

The common reporting standard is an international standard of tax cooperation that has been implemented by more than 100 participating jurisdictions, including Canada. Under the common reporting standard:

• reporting Canadian financial institutions must take steps to identify and report to the CRA the financial accounts held in Canada by, or for the benefit of, non-residents, including entities controlled by one or more non-resident persons
• this information is then available for sharing with the jurisdiction in which the account holder or the controlling person resides for tax purposes, under the provisions and safeguards of the multilateral convention on Mutual Administrative Assistance in Tax Matters

Account information the CRA collects from Canadian financial institutions and exchanges under the CRS includes the individual’s:

• name
• address
• date of birth
• foreign taxpayer’s identification number
• account number
• account balance or value
• certain amounts paid or credited to their account

The CRS is covered by the Common Reporting Standard Income Tax Act Part XIX v 2.0 PIA.

Electronic Funds Transfer (EFT)

Financial institutions are required to report international electronic funds transfers (EFTs) of $10,000 or more to the CRA. This information helps the CRA to identify taxpayers who may be participating in tax avoidance or who may be attempting to conceal income and assets offshore.

Multiple transactions that total $10,000 or more are considered to be a single transaction and must be reported if:

• they were made within 24 consecutive hours
• the reporting entity knows the transfers:
  • were requested by, or on behalf of, the same person or entity, or
  • are for the same beneficiary

D) Duration of the program or activity

Long-term programs

Level of risk to privacy: 3

Details:

Income tax audit activities done by the International and Large Business, and High Net Worth Compliance Tax Audit Programs are ongoing, long-term activities which ensure the integrity of the self-assessment system. Some activities may change focus or be added, but the programs’ primary mandate remains the audit of income tax returns to make sure taxpayers are complying with the Income Tax Act.

E) Program population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy: 3

Details:

The income tax audit activities done by the International and Large Business, and High Net Worth Compliance Tax Audit Programs can affect businesses and individuals who have filed an income tax or related information return.

The International and Large Business Program activities focus on corporate economic entities.

The High Net Worth Compliance Program activities focus on individuals and their domestic and international related entities, as well as tax promoters and advisors.

F) Technology & privacy

1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
   Risk to privacy: Yes
2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
   Risk to privacy: No
3. Does the new or modified program or activity involve the implementation of one or more of the following technologies?

Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy: No

Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy: No

Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy: Yes

G) Personal information transmission

The personal information is transmitted using wireless technologies. 

Level of risk to privacy: 4

Details:

Personal information is pulled from the CRA’s internal systems and is sent to partner organizations electronically using Government of Canada-approved encryption technologies.

Personal information can be used in a system that has access to other systems and can be transferred to a secure portable device encrypted using CRA approved encryption.

Some employees work on CRA-issued laptops and use CRA-issued cell phones. CRA laptops and cell phones comply with the Government of Canada’s encryption and security standards. Any telework is done through secure remote access.

H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee

Details:

If a person’s personal information becomes compromised, they may become a victim of identity theft. The person’s information may also be used without their knowledge or consent in ways that could result in a reputational or financial loss, such as the misuse of their credit card information or debts being incurred on their behalf. Depending on the nature of the information, a public release could cause embarrassment, the loss of personal or professional standing, or other negative effects.